1 Introduction

Dynamic logic [5, 6, 15, 16] applies concepts from modal logic to a relational semantics of 
programs to yield various systems for reasoning about the before-after behavior of programs. 
Analogous to the modal logic assertions ◇p (possibly p) and □p (necessarily p) are the dynamic
logic constructs <a>p and [a]p. If a is a program and p is an assertion about the state of a 
computation, then <a>p asserts that after executing a, p can be the case, and [a]p asserts that after 
executing a, p must be the case. 

A dynamic logic includes both a programming language for representing programs and an 
assertion language for expressing properties of computation states; different dynamic logics result 
from the selection of different programming and assertion languages. The underlying assertion 
language of propositional dynamic logic or PDL [5, 6, 16] is the propositional calculus; its
programming language consists of regular expressions over uninterpreted program labels and tests, 
i.e., the programming primitives are black box programs, and more complicated programs are built 
up using the nondeterministic control structures of sequencing, testing, choosing, and iterating. 

Although PDL can express many interesting properties of programs, Pratt has shown that 
it is not powerful enough to capture the notion of infinite looping in regular programs [16]. 
However, by adding a natural formula construct delta to PDL, we obtain a programming logic 
strong enough to express a useful propositional notion of infinite looping. The resulting logic is 
also strong enough to express all formulae of two other propositional logics of programs: 
Mirkowska's Propositional Algorithmic Logic (PAL) [12] and Ben-Ari's, Manna's, and Pnueli's
Unified Logic of Branching Time (UB) [1]. 

A striking feature of PDL is that it satisfies the following finite model property: an 
arbitrary (perhaps infinite) model of a PDL formula p can be reduced to a small finite model of p 
by merging those states which satisfy exactly the same subformulae of p. This property plays a 
key role in the known decision procedures for PDL [5, 17]. This technique does not extend to 
delta-PDL, since there is a formula which is satisfiable in an infinite model which cannot be
reduced to a finite model by merging states. This delta-PDL formula is therefore not equivalent to
any PDL formula, and so delta-PDL is strictly more expressive than PDL. Nevertheless, we shall
see that delta-PDL is decidable and does satisfy a finite model property.

Pratt's original formulation of dynamic logic included the programming construct converse 
[15]. Given a program a, the converse of a is the program which runs a backwards, i.e., which
undoes all the computations performed by a. Converse-PDL, the extension of PDL to include the
converse construct, satisfies the same finite model property as PDL and the known decision
procedures for PDL extend without difficulty to converse-PDL [5, 17].

The two constructs delta and converse interact to make delta-converse-PDL significantly
different from either delta-PDL or converse-PDL. Delta-converse-PDL does not satisfy the finite
model property: there is a formula satisfiable in an infinite model but not in any finite model.
This proves that delta-converse-PDL is strictly more expressive than either delta-PDL or
converse-PDL. The failure of a logic to satisfy the finite model property is often taken as an
indication of its undecidability, but in this case the evidence is misleading; delta-converse-PDL
is in fact elementarily decidable, viz., decidable in time bounded by an eightfold composition of
exponential functions.

There is a straightforward proof of the decidability of delta-PDL by embedding it into 
SnS, the second order theory of several successors [21]. (This method was used by Parikh to prove 
the decidability of a logic which he called Second Order Acyclic Process Logic (SOAPL) [14].) The
upper bound on the complexity of delta-PDL obtained in this way is not elementary, since SnS 
cannot be decided in elementary time [10]. In any case, there does not appear to be a 
straightforward embedding of delta-converse-PDL into SnS. 

Models of delta-PDL and SOAPL formulae can be viewed as labelled graphs. These
graphs can be unravelled or unwound into tree-structured models in which programs conform to 
the tree structure, i.e., programs connect nodes only to their descendants in the tree. The 
translation of these logics into SnS depends crucially on this fact. The decidability of SnS can be 
established via a reduction to the emptiness problem of automata on infinite trees [18]. A 
quadruply exponential time decision procedure for delta-PDL can be obtained by directly reducing 
delta-PDL satisfiability to this emptiness problem, bypassing the translation into SnS [22]. The 
reduction involves the construction, for each formula p, of an automaton which accepts, in some 
sense, models of p. It follows by automata theoretic arguments that every satisfiable formula has a
finitely generable model, i.e., a model obtained by unravelling a finite graph. It is not difficult to
show that this finite graph is itself a model, so that delta-PDL does satisfy the finite model 
property. The quadruply exponential upper bound on the computational complexity of delta-PDL 
can be improved by an exponential factor by showing that the automata used to decide delta-PDL 
satisfiability belong to a special class whose emptiness problem is exponentially easier than the 
general case. 

Models of delta-converse-PDL formulae are also labelled graphs and these graphs can also 
be unwound into tree-structured models. However, unlike the tree models for the previous logics, 
programs in delta-converse-PDL tree models do not conform to the underlying tree structure; 
programs can link arbitrary nodes of the tree. The presence of such programs prevents a 
straightforward reduction of delta-converse-PDL to the emptiness problem for automata on infinite 
trees. However, the semantics of the converse construct suggests a definition of deterministic two-
way automata on infinite trees such that the satisfiability problem for delta-converse-PDL is
reducible to the emptiness problem for these newly defined automata. The decidability of delta-
converse-PDL follows from a reduction of the two-way emptiness problem to the ordinary or one-






In addition, Parikh showed that adding the axioms

(9) p → [a]<a⁻>p

(10) p → [a⁻]<a>p

to the above complete axiomatisation for PDL yields a complete axiomatisation for converse-PDL
[13]. A natural question to ask is whether there are one or more axioms concerning the Δ
construct which, when added to the above complete axiomatisations for PDL and converse-PDL,
yield complete axiomatisations for delta-PDL and delta-converse-PDL.

Conjecture: The following two axioms

(11) Δa ↔ <a>Δa

(12) [a*](p → <a>p) → (p → Δa)

are sufficient to produce complete axiomatisations for delta-PDL and delta-converse-PDL.

The complexity theory results in this thesis have depended very heavily on results 
concerning finite automata on infinite trees. Below are two interesting open problems concerning 
two-way automata. 

Open Problem: Can nondeterministic two-way automata be simulated by one-way automata? 

Open Problem: How many states are required to simulate a two-way automaton with a one-way 

automaton? In particular, is there, for infinitely many n, a two-way automaton with n states which 

-> n "i l 

cannot be simulated by a one-way automaton with less than 2" (or 2 l or 2 Z or 2 Z ) states? 



way emptiness problem. 

Although delta-converse-PDL does not satisfy the finite model property, the models of a
delta-converse-PDL formula are recognizable by a finite automaton. As before, it follows that
every satisfiable formula has a finitely generable model, i.e., a model obtained by unravelling a
finite graph. Although in general this finite graph is not a model of the original formula, it is a
representation of a model, so that delta-converse-PDL satisfies a finite representation property.
This clarifies why the logic is decidable.

Most of the results in this thesis which concern delta-PDL originally appeared, in different
form, in the author's Master's thesis [22]. A preliminary version of the results in this thesis
concerning delta-converse-PDL appeared in the Proceedings of the Thirteenth ACM Symposium on
the Theory of Computing [23].

6 Conclusions and Open Problems

The main results of this thesis are elementary recursive decision procedures (i.e., algorithms
which run in time O(exp^m n) for some m, where n is the length of the input) for delta-PDL and
delta-converse-PDL. The existence of these algorithms establishes upper bounds on the
computational time complexity of the satisfiability problem for these logics. Unfortunately, the
best lower bound for these logics is the following one proved by Fischer and Ladner for PDL.

Theorem 6.1 [6]: There is a constant c > 1 such that PDL (and hence its extensions) cannot be
decided in time c^n, where n is the length of the formula tested.

The large gaps between the best known upper and lower bounds, doubly exponential in the
case of delta-PDL and septuply exponential in the case of delta-converse-PDL, leave room for
further work in the complexity theory of these logics.

Open Problem: What are the exact computational complexities of delta-PDL and delta-converse-PDL?
In particular, does either or both require doubly exponential time to decide?

Since PDL is decidable, it has an uninteresting complete recursive axiomatisation: the set of
all valid formulae. However, one would still like to find a simple and natural complete 
axiomatisation. In the case of PDL, a completeness proof for the following set of axioms was first 
announced by Segerberg [20]; the first complete proof to appear is due to Parikh [13]. 



Axioms: 



(1) All the tautologies of the propositional calculus 

(2) [a](p → q) → ([a]p → [a]q)

(3) [a;b]p ↔ [a][b]p

(4) [a∪b]p ↔ [a]p & [b]p

(5) [a*]p → p & [a]p

(6) [a*]p → [a*][a*]p

(7) [a*](p → [a]p) → (p → [a*]p)

(8) [p?]q ↔ (p → q)



Rules of Inference: 



(Modus ponens) If p and p → q are theorems, then q is a theorem.
(Generalization) If p is a theorem, then so is [a]p. 



2 Syntax, Semantics, and Expressive Power 

In this chapter we formally define the syntax and semantics of delta-converse-PDL (which
contains PDL, delta-PDL, and converse-PDL as sublogics). We then show how a large number of
logical constructs used in proving program correctness can be expressed in delta-converse-PDL.
We next prove some relationships between delta-converse-PDL, its various sublogics, and two other
propositional logics of programs, the Propositional Algorithmic Logic (PAL) of Mirkowska [12] and
the Unified Temporal Logic of Branching Time (UB) of Ben-Ari, Manna, and Pnueli [1].

We are given a set Π₀ whose elements are called atomic programs and a set Φ₀ whose
elements are called atomic formulae. Capital letters A, B, C, . . . from the beginning of the
alphabet will be used as variables over Π₀, and capital letters P, Q, R, . . . from the middle of the
alphabet will be used as variables over Φ₀.

The set of programs, Π, and the set of formulae, Φ, of delta-converse-PDL are then
defined inductively (note the use of letters a, b, c, . . . as variables over Π and p, q, r, . . . as
variables over Φ):

Π: (1) Π₀ ⊆ Π

(2) If a, b ∈ Π then a;b, a∪b, a*, a⁻ ∈ Π

(3) If p ∈ Φ then p? ∈ Π

Φ: (1) Φ₀ ⊆ Φ

(2) If p ∈ Φ then ¬p ∈ Φ

(3) If a ∈ Π and p ∈ Φ then <a>p, Δa ∈ Φ

The sublogics of delta-converse-PDL are defined as follows. The formulae and programs of
converse-PDL are those not containing any occurrence of Δa. The formulae and programs of
delta-PDL are those not containing any occurrence of a⁻. The formulae and programs of PDL
are those containing neither Δa nor a⁻.

Definition: A structure is a triple S = <U, ⊨_S, <>_S> where

(1) U is a non-empty set, the universe of states.

(2) ⊨_S is a satisfiability relation on the atomic propositions, i.e. a predicate on U × Φ₀.

(3) <>_S assigns binary relations on states to the atomic programs.

Definition: A structure S = <U, ⊨_S, <>_S> is a tree structure if and only if U is a tree and for all
states u and v and atomic programs A, u <A>_S v only if u and v are neighbors in the tree, i.e., either
v is a successor of u or vice versa. The tree structure S is one-way if and only if for all states u

Note. The above proof does not extend to delta-converse-PDL, since in general a program with
converse can repeatedly fit infinite paths in the generating graph of a finitely generable

without fitting the

and v and atomic programs A, u <A>_S v only if v is a successor of u.

Definition: Given a structure S, ⊨_S and <>_S can be extended to arbitrary formulae and programs
as follows:

(1) u ⊨_S ¬p iff not u ⊨_S p.

(2) u ⊨_S <a>p iff ∃v. u <a>_S v & v ⊨_S p.

(3) u ⊨_S Δa iff ∃u₀, u₁, . . . such that u₀ = u and
∀n ≥ 0. u_n <a>_S u_{n+1}.

(4) u <a;b>_S v iff ∃w. u <a>_S w and w <b>_S v.

(5) u <a∪b>_S v iff u <a>_S v or u <b>_S v.

(6) u <a*>_S v iff u <a>_S* v.

(7) u <a⁻>_S v iff v <a>_S u.

(8) u <p?>_S v iff u = v and u ⊨_S p.

If a and b are programs, then a;b is the program which executes first a, then b. The programming
connectives ∪ and * are nondeterministic; if a and b are programs, then a∪b is a program which
permits a choice of either a or b, and a* is a program which permits a choice of some number
(possibly zero) of iterations of a. If p is a formula, then the program p? can be thought of as an
abbreviation for if p then skip else abort, i.e., it permits execution to proceed if p is true and
interrupts execution if p is false. If a is a program, then a⁻ is the converse of a, i.e., it undoes the
computations performed by a (however, since a can take several input states to the same output
state, doing a followed by a⁻ can take a state to some other state besides itself). If a is a
program, then Δa is a formula which is true whenever there is a way to repeatedly execute the
program a without stopping.
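
Added example (not part of the thesis): a small Python evaluator for the semantic clauses (1)-(8) over a finite structure, with programs and formulae encoded as nested tuples (an encoding assumed here). On a finite universe Δa is computed by repeatedly discarding states with no a-successor left; the sample structures are constructed: a four-state reverse A-chain, the same chain with states 1 and 3 merged, and a state with two A-parents.

```python
# Added example. The tuple encoding and every name here are this example's own choices.
# Programs: ("atom", A) ("seq", a, b) ("union", a, b) ("star", a) ("conv", a) ("test", p)
# Formulae: ("prop", P) ("not", p) ("dia", a, p) ("delta", a)

class Structure:
    """A finite structure S = <U, |=_S, <>_S>."""
    def __init__(self, states, props, progs):
        self.U = set(states)
        self.props = {name: set(us) for name, us in props.items()}
        self.progs = {name: set(r) for name, r in progs.items()}

def compose(r1, r2):
    """Relational composition: {(u, v) : u r1 w and w r2 v for some w}."""
    succ = {}
    for w, v in r2:
        succ.setdefault(w, set()).add(v)
    return {(u, v) for u, w in r1 for v in succ.get(w, ())}

def rel(S, a):
    """Clauses (4)-(8): the relation <a>_S as a set of state pairs."""
    kind = a[0]
    if kind == "atom":
        return set(S.progs.get(a[1], ()))
    if kind == "seq":
        return compose(rel(S, a[1]), rel(S, a[2]))
    if kind == "union":
        return rel(S, a[1]) | rel(S, a[2])
    if kind == "star":                      # reflexive transitive closure
        step = rel(S, a[1])
        closure = {(u, u) for u in S.U}
        frontier = set(closure)
        while frontier:
            frontier = compose(frontier, step) - closure
            closure |= frontier
        return closure
    if kind == "conv":                      # run a backwards
        return {(v, u) for u, v in rel(S, a[1])}
    if kind == "test":                      # p? relates u to itself when u |= p
        return {(u, u) for u in sat(S, a[1])}
    raise ValueError(f"unknown program {a!r}")

def sat(S, p):
    """Clauses (1)-(3): the set of states u with u |=_S p."""
    kind = p[0]
    if kind == "prop":
        return S.props.get(p[1], set()) & S.U
    if kind == "not":
        return S.U - sat(S, p[1])
    if kind == "dia":
        target = sat(S, p[2])
        return {u for u, v in rel(S, p[1]) if v in target}
    if kind == "delta":
        # In a finite U an infinite a-sequence from u exists exactly when u
        # survives pruning of states whose a-successors have all been pruned.
        step = rel(S, p[1])
        alive = {u for u, _ in step}
        while True:
            keep = {u for u, v in step if v in alive}
            if keep == alive:
                return alive
            alive = keep
    raise ValueError(f"unknown formula {p!r}")

def conj(p, q):
    """p & q, using the abbreviation <p?>q."""
    return ("dia", ("test", p), q)

def collapse(S, f):
    """Quotient structure obtained by identifying states with equal f-value."""
    return Structure({f(u) for u in S.U},
                     {k: {f(u) for u in us} for k, us in S.props.items()},
                     {k: {(f(u), f(v)) for u, v in r} for k, r in S.progs.items()})

A = ("atom", "A")
P = ("prop", "P")

# Constructed sample: finite reverse A-chain 3 -> 2 -> 1 -> 0 (no infinite A-path).
CHAIN = Structure(range(4), {}, {"A": {(n + 1, n) for n in range(3)}})
# Identifying states 1 and 3 creates the A-cycle 1 -> 2 -> 1.
MERGED = collapse(CHAIN, lambda u: 1 if u == 3 else u)
# Constructed sample: v has two A-parents, u (where P holds) and w (where it fails).
TWO_PARENTS = Structure("uvw", {"P": {"u"}}, {"A": {("u", "v"), ("w", "v")}})
BACK_AND_FORTH = conj(P, ("dia", A, ("dia", ("conv", A), ("not", P))))

if __name__ == "__main__":
    print("Delta A on chain:  ", sat(CHAIN, ("delta", A)))
    print("Delta A on merged: ", sat(MERGED, ("delta", A)))
    print("P & <A><A->~P:     ", sat(TWO_PARENTS, BACK_AND_FORTH))
```

Merging two states of the chain changes ΔA from false to true at the merged state, and the last formula holds at u only because v has a second A-parent.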

The primitive constructs of delta-converse-PDL can be used to define many other interesting
constructs as abbreviations. For example:

A correctness assertion: [a]p =df ¬<a>¬p

Boolean operators: p & q =df <p?>q

p ∨ q =df ¬p → q

p ↔ q =df (p → q) & (q → p)

Propositional constants: true =df P ∨ ¬P

false =df P & ¬P

Rabin [8, 19] has shown that every nonempty automaton recognizable set of infinite trees
contains a finitely generable tree, i.e., an infinite tree which can be obtained by unwinding a finite
graph. Although delta-converse-PDL does not satisfy the finite model property, Rabin's result
shows that every satisfiable delta-converse-PDL formula has a finite representation. In the case of
delta-PDL formulae, however, it is possible to transform the generating graph for an image for the
formula into a finite model.

Theorem 5.11: For all delta-PDL formulae p, if p is satisfiable, then p has a finite model.

Proof. If p is satisfiable, then by the preceding results, there is a scheme S = <T_{N+1}, ⊨_S, <>_S>
for p whose image f is finitely generable. Hence there is a finite subtree T of T_{N+1} and a
generating map J: front(T) → int(T) such that f = f∘J*. Define a finite structure R = <T, ⊨_R,
<>_R> as follows. For x ∈ T and P an atomic formula, let x ⊨_R P iff x ⊨_S P. For x and y ∈ T
and A an atomic program let x <A>_R y iff either x ∈ int(T) and x <A>_S y or x ∈ front(T) and
J(x) <A>_S y. We will prove, by structural induction on formulae, that for all y ∈ T_{N+1} and q a
subformula of p, y ⊨_S q if and only if J*(y) ⊨_R q.

If q is an atomic subformula P, then y ⊨_S P iff J*(y) ⊨_S P, since the image of S is generated by
T and J. By the definition of R, J*(y) ⊨_S P iff J*(y) ⊨_R P. If q is a negated subformula, then
y ⊨_S q iff J*(y) ⊨_R q follows from the inductive hypothesis and the definition of negation.

If q is a diamond subformula <a>r, then suppose y ⊨_S <a>r. Then by Lemma 5.2 there must be
an execution sequence b₁ ··· b_k ∈ L(a;r?) and a sequence {y_n}_{0≤n≤k} of elements of T_{N+1}
such that y₀ = y and for 0 ≤ n < k, y_n <b_{n+1}>_S y_{n+1}. We leave it to the reader to verify that for
0 ≤ n < k, J*(y_n) <b_{n+1}>_R J*(y_{n+1}), so that J*(y) = J*(y₀) ⊨_R <a>r.

Conversely, suppose x = J*(y) and x ⊨_R <a>r. Then there must be an execution sequence
b₁ ··· b_k ∈ L(a;r?) and a sequence {x_n}_{0≤n≤k} of elements of T such that x₀ = x and for
0 ≤ n < k, x_n <b_{n+1}>_R x_{n+1}. Inductively define a sequence {y_n}_{0≤n≤k} of elements of T_{N+1} as
follows. Let y₀ = y and, having defined y_n, define y_{n+1} in accord with the relationship between
x_n and x_{n+1}. If b_{n+1} is a test, then x_{n+1} = x_n, so let y_{n+1} = y_n. Otherwise, b_{n+1} is an atomic
program (since p is converse-free), and x_{n+1} is a successor, the mth say, of x_n if x_n ∈ int(T), or of
J(x_n) if x_n ∈ front(T). In this case let y_{n+1} be the mth successor of y_n. It is now straightforward to
prove that J*(y_n) = x_n for n ≤ k, and that y_n <b_{n+1}>_S y_{n+1} for 0 ≤ n < k. Hence, y ⊨_S <a>r.

If q is a delta subformula Δa then y ⊨_S Δa if and only if J*(y) ⊨_R Δa follows by an
argument almost identical to the previous one for diamond subformulae. We conclude that Λ ⊨_R
p, since Λ ⊨_S p and p is a subformula of p. Therefore the structure R is a finite model of p.



Program constants: skip =df true?

abort =df false?

Deterministic control structures:

if p then a else b =df (p?;a) ∪ (¬p?;b)
while p do a =df (p?;a)*;¬p?

Dijkstra's guarded commands [3]:

IF p→a || q→b FI =df (p?;a) ∪ (q?;b)
DO p→a || q→b OD =df ((p?;a) ∪ (q?;b))*;(¬p & ¬q)?

de Bakker's weakest preconditions [2]: 

de Bakker's strongest postconditions [2]: 

fl< "^ = df <fl ^ 
Hoare's partial correctness assertions [7]: 

p{a}q =df p → [a]q

A well-foundedness or convergence assertion:

∇a =df ¬Δa

An infinite looping assertion [6, 11, 16], defined inductively:

∞A =df false

∞(a;b) =df ∞a ∨ <a>∞b

∞(a∪b) =df ∞a ∨ ∞b

∞(a*) =df <a*>∞a ∨ Δa

∞(p?) =df false

(Alternatively, one can amend the syntax by adding the ∞A's to Φ₀, allowing structures to
decide arbitrarily which primitive programs loop and which do not.)

Dijkstra's weakest precondition operator [4]:

wp(a, p) =df [a]p & <a>true & ¬∞a

Definition: If p ∈ Φ and S is a structure, then S is a model of p or S satisfies p if and only if
u ⊨_S p for some u ∈ U, and p is satisfiable if and only if some structure satisfies p. The
satisfiability problem for delta-converse-PDL is the problem of deciding whether or not an arbitrary
delta-converse-PDL formula is satisfiable.

converse-PDL satisfiability can be decided in time O(exp^8 k), where k is the length of the formula
tested. ∎

Theorem 5.9: Given a delta-PDL formula p of length k, there is a deterministic complemented
pairs automaton A_p with no more than O(exp exp k) states and O(exp k) pairs, which accepts
exactly the images of one-way schemes for p. Furthermore, A_p can be constructed in time
O(exp exp k).

Proof. The proof is very similar to that of Theorem 5.7. By Corollary 5.6, it is sufficient to
construct an automaton accepting exactly the N+1-ary Σ-trees satisfying the conditions (1)-(7)
and an extra condition: (8) f(x) contains no negative literals, for all x. It is straightforward to
construct a complemented pairs automaton B with three states (a start state, an accepting state, and
a failure state) and one pair which accepts exactly the trees satisfying conditions (1), (2), (5), (6),
and (8). On the assumption that condition (8) is fulfilled, only forward paths need be considered
to check conditions (4) and (7). It is not difficult to construct complemented pairs automata C_n
and D_n which check conditions (3) and (4) respectively and which have exactly one pair and no
more than O(exp k) states.

Given a deterministic m state automaton recognizing a regular set X (not containing the empty
string) over an alphabet Σ, a construction of McNaughton's [9] yields a deterministic pairs
automaton on infinite strings, with O(exp m) states and O(m) pairs which accepts exactly the
infinite strings in Σ*;X^ω. Since McNaughton's machine is a deterministic pairs automaton on
infinite strings, it can be viewed as a complemented pairs automaton accepting exactly the infinite
strings not in Σ*;X^ω.

For Δa ∈ cl(p), let E_a be the complemented pairs automaton resulting from applying the above
construction to a deterministic automaton accepting {tjq^ ■ ■ • b k t\ k £ C(a) \ k > 1 and
Ac £ Tj }. Let F_a be an automaton on infinite trees which runs the automaton E_a down every
path from the root in order to reject any tree containing a node x such that Δa ∉ f(x) and an
infinite path from x which a repeatedly fits. Each F_a can be constructed to have no more than
O(exp exp k) states and O(exp k) pairs.



Finally, the automaton B and the C_n's, D_n's, and F_a's can be combined in a cross-product
construction to yield the desired A_p. A_p has no more than O(exp exp k) states and O(exp k) pairs
and can be constructed in time O(exp exp k).

Theorem 5.10: The satisfiability problem for delta-PDL is decidable in time O(exp^3 k), where k is
the length of the formula tested.

Proof. Given a formula p of length k, Theorem 5.7 constructs a complemented pairs automaton A_p
on infinite N+1-ary trees with no more than O(exp exp k) states and O(exp k) pairs such that A_p
accepts some tree if and only if p is satisfiable. By Theorem 3.8, the emptiness problem for A_p can
be decided in time O(exp^3 k).



Definition: If p ∈ Φ and S is a structure, then p is valid in S if and only if u ⊨_S p for all u ∈ U,
and p is valid if and only if p is valid in all structures.

Definition: A set X of formulae expresses a second set Y of formulae if and only if for every formula p
∈ Y there is a formula q ∈ X such that p ↔ q is valid. The set X is more expressive than the set Y if
and only if X expresses Y but Y does not express X.

The following theorems rank delta-converse-PDL and some of its sublogics with respect to expressive
power. Theorem 2.1, due to Fischer and Ladner, establishes a property of PDL and converse-PDL
formulae which Theorems 2.2 and 2.3 show is not shared by all delta-PDL and delta-converse-PDL
formulae. We conclude that delta-PDL is more expressive than PDL, that delta-converse-PDL is more
expressive than either delta-PDL or converse-PDL, and that converse-PDL does not express
delta-PDL. Finally, Theorem 2.4 shows that converse-PDL is more expressive than PDL and that
delta-PDL does not express converse-PDL, so that converse-PDL and delta-PDL are incomparable in
expressive power.

Theorem 2.1 [5]: Converse-PDL (and hence also PDL) satisfies the collapsing finite model property:
every model of a formula can be collapsed to a finite model by identifying states. The resulting
finite model has at most 2^n states, where n is the length of the formula.

Theorem 2.2: Delta-PDL does not satisfy the collapsing finite model property; there is a formula with
an infinite model which cannot be collapsed to a finite structure without altering the truth value of the
formula at some state.

Proof. Consider an infinite structure S with an infinite reverse A-chain (i.e., a sequence {u_n}_{n≥0}
of states such that u_{n+1} <A>_S u_n for all n), but no infinite forward A-chains (i.e., sequences
{u_n}_{n≥0} of states such that u_n <A>_S u_{n+1} for all n). Then for every state u along the reverse
A-chain, u ⊨_S ¬ΔA. However, S cannot be collapsed to a finite structure T without identifying
two distinct states, u and v say, on the chain. If w is the collapse of u and v in T, then
w <A;A*>_T w, and hence w ⊨_T ΔA. ∎

Theorem 2.3: Delta-converse-PDL does not satisfy the finite model property; there is a satisfiable
formula which is not satisfied in any finite model.

Proof. Consider the satisfiable formula ΔA & ¬<A*>Δ(A⁻). If u₀ ⊨_S ΔA & ¬<A*>Δ(A⁻),
then u₀ ⊨_S ΔA and u₀ ⊨_S ¬<A*>Δ(A⁻). Hence there is an infinite A-chain u₀ <A>_S u₁ ···
u_n <A>_S u_{n+1} ···. If u_i = u_j for any i < j, then u_i ⊨_S Δ(A⁻) and so u₀ ⊨_S <A*>Δ(A⁻), a
contradiction. So all the u_i are distinct. Hence, ΔA & ¬<A*>Δ(A⁻) is satisfiable only in
infinite models. ∎

Proof. A straightforward extension of the preceding proof. ∎

Theorem 5.7: Given a delta-converse-PDL formula p of length k, there is a deterministic two-way
tree automaton A_p which accepts exactly the images for p. Further, A_p need have no more than
O(exp exp k) states and can be constructed in time O(exp exp k).

Proof. By Lemma 5.5, it is sufficient to construct an automaton accepting exactly the N+1-ary
Σ-trees satisfying the conditions (1)-(7), where N < k is the number of diamond subformulae of p.
It is straightforward to construct an automaton B with four states (two start states, an accepting
state, and a failure state) which accepts exactly the trees satisfying conditions (1), (2), (5), and (6).

For 1 ≤ n ≤ N, let A_n be a deterministic automaton on finite strings which accepts the regular set
C(a_n;q_n?). The A_n's can be constructed to have no more than O(exp k) states. Let C_n be an
automaton on infinite trees which, for every node x in the tree labelled with <a_n>q_n, runs the
automaton A_n down the path x;{xn0^m}_{m≥0}, looking for an initial segment which the program
a_n;q_n? fits. Let D_n be an automaton on infinite trees which, for every node x in the tree not
labelled with <a_n>q_n, runs the automaton A_n down every path starting with x, rejecting the tree if
a_n;q_n? fits any finite path starting with x. The C_n's and D_n's can be constructed to have no more
than O(exp k) states.

Given a deterministic m state automaton recognizing a regular set X not containing the empty
string, there is a construction, due to McNaughton [9], of a deterministic automaton on infinite
strings, with no more than O(exp m) states, which accepts exactly the infinite strings not in X^ω.
For Δa ∈ cl(p), let E_a be the result of applying McNaughton's construction to a deterministic
automaton accepting {η₀b₁ ··· b_kη_k ∈ C(a) | k ≥ 1}. Let F_a be an automaton on infinite trees
which, for every node x not labelled with Δa, runs the automaton E_a down every path from x in
order to reject any tree containing a path from x which a repeatedly fits. F_a can be constructed to
have no more than O(exp exp k) states.

Finally, the automaton B and the C_n's, D_n's, and F_a's can be combined in a cross-product
construction to yield the desired A_p. A_p has no more than O(exp exp k) states and can be
constructed in time O(exp exp k). ∎

Theorem 5.8: The satisfiability problem for delta-converse-PDL is decidable in time O(exp^8 k),
where k is the length of the formula tested.

Proof. Given a formula p of length k, Theorem 5.7 constructs a two-way automaton A_p on infinite
N+1-ary trees with no more than O(exp exp k) states such that A_p accepts some tree if and only if
p is satisfiable. By Theorem 5.10, there is an equivalent one-way automaton B on infinite N+1-ary
trees with no more than O(exp^6 k) states. It is straightforward to construct a one-way automaton
C on infinite binary trees with no more than O((N+1) exp^6 k) = O(exp^6 k) states, whose emptiness
problem is equivalent to B's. The emptiness problem for one-way automata on infinite binary
trees is decidable in time O(exp exp m), where m is the number of states [8, 18]. Therefore, delta-






We shall prove later (see Lemma 5.3) that delta-converse-PDL satisfies a tree model property; every
satisfiable delta-converse-PDL formula has a tree model. For delta-PDL a stronger property holds:
every satisfiable delta-PDL formula has a one-way tree model (see Corollary 5.4).

Theorem 2.4: Converse-PDL (and hence also delta-converse-PDL) does not satisfy the one-way tree
model property; there is a satisfiable converse-PDL formula which is not satisfied in any one-way
tree model.

Proof. Consider the satisfiable formula P & <A><A⁻>¬P. Suppose u ⊨_S P & <A><A⁻>¬P, where
S is a one-way tree model. Then u ⊨_S P and there is an immediate successor v of u such that
v ⊨_S <A⁻>¬P, so that there must be a state w such that w <A>_S v and w ⊨_S ¬P. Since S is a
one-way tree model, w must be the parent of v, so w = u. But this is impossible, since we have
u ⊨_S P and w ⊨_S ¬P. ∎

The remainder of this chapter relates the expressive power of delta-PDL to that of two other
propositional logics of programs: the Propositional Algorithmic Logic (PAL) of Mirkowska [12] and
the Unified Temporal Logic of Branching Time (UB) of Ben-Ari, Manna, and Pnueli [1]. UB is an
intensional logic of programs, as opposed to PDL and PAL, which are extensional. Programs
appear explicitly in the formulae of PDL and PAL, and different formulae can refer to completely
different programs. The formulae of a temporal logic do not explicitly refer to programs; rather,
every formula is taken to refer to a single program, which is fixed by the choice of a UB-structure.

Definition: The formulae, Φ_UB, of UB, are defined inductively as follows:

(1) Φ₀ ⊆ Φ_UB

(2) If p, q ∈ Φ_UB, then ¬p, p ∨ q, ∃Xp, ∃Fp, ∃Gp ∈ Φ_UB

Definition: A UB-structure is a tuple S = <U, ⊨_S, ⇒_S> where U is a set of states, ⊨_S is a
satisfiability relation on the atomic propositions, and ⇒_S is a total binary relation on U (i.e., for
every state u there is at least one state v such that u ⇒_S v).

Definition: Given a UB-structure S = <U, ⊨_S, ⇒_S>, ⊨_S can be extended to all UB formulae as
follows.

(1) u ⊨_S ¬p iff not u ⊨_S p.

(2) u ⊨_S p ∨ q iff u ⊨_S p or u ⊨_S q.

(3) u ⊨_S ∃Xp iff ∃v. u ⇒_S v and v ⊨_S p.

(4) u ⊨_S ∃Fp iff ∃v. u ⇒_S* v and v ⊨_S p.

(5) u ⊨_S ∃Gp iff there is an infinite sequence {u_n}_{n≥0} of states such that u₀ = u and
for all n, u_n ⊨_S p and u_n ⇒_S u_{n+1}.

The logic UB is a temporal logic of discrete branching time; given a program a, the binary relation
⇒_S relates computation states at time t to possible computation states at the next time t + 1.
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(2) if x i+1 is the predecessor of x f then the inverse of b (+1 € fix). 

Remark: A program a fits a singleton path x if and only if there is a compressed execution 
sequence r\ € C{a), consisting of a single set of subformulae of p, such that t\ C fix). If /is the 
image of a one-way scheme and if a is a converse-free program, then a can fit only forward paths 
and only condition (1) is needed to determine the forward paths which a fits. 

Definition: Given a 2 -tree f, a program a repeatedly fits an infinite path {*„}„>() if an d only if 
there is a infinite, increasing sequence of indices {/'}.>o such that / = and a fits {*„},• <«</. 

for ; > 1. ■ ~" • 

Lemma 5.5: A Σ_p-tree f is an image for p if and only if the following conditions are satisfied.

(1) p ∈ f(Λ)

(2) for ¬q ∈ cl(p), ¬q ∈ f(x) if and only if q ∉ f(x).

(3) if <a_n>q_n ∈ f(x), then there is an initial segment π of the infinite path x;{xn0^m}_{m≥0} such
that a_n;q_n? fits π.

(4) if <a_n>q_n ∉ f(x), then for all finite paths π starting at x, a_n;q_n? does not fit π.

(5) for Δa ∈ cl(p), Δa ∈ f(x) if and only if <a>Δa ∈ f(x).

(6) for Δa ∈ cl(p), if a fits the singleton path x, then Δa ∈ f(x).

(7) for Δa ∈ cl(p), if Δa ∉ f(x), then for all infinite paths π starting at x, a does not
repeatedly fit π.

Proof: We leave it to the reader to verify that an image for p satisfies (1) - (7). Conversely, given
an N+1-ary Σ_p-tree f satisfying (1) - (7), we can define a two-way tree structure S = <T_{N+1}, ⊨_S,
<>_S> by letting x ⊨_S P iff P ∈ f(x) and x<A>_S y iff either y is a successor of x and A ∈ f(y) or y
is the predecessor of x and A⁻ ∈ f(x). The reader can verify that f is the image of S. We
proceed, using structural induction on formulae and conditions (2) - (7), to establish that for all x
∈ T_{N+1} and q ∈ cl(p), x ⊨_S q iff q ∈ f(x).

If q is an atomic subformula P, then x ⊨_S P iff P ∈ f(x) follows from the definition of S. If q is
a negated subformula ¬r, then x ⊨_S ¬r iff ¬r ∈ f(x) follows from condition (2). If q is a
diamond subformula <a_n>q_n, then (x ⊨_S <a_n>q_n) → (<a_n>q_n ∈ f(x)) follows from condition (4),
and (<a_n>q_n ∈ f(x)) → (x ⊨_S <a_n>q_n) follows from condition (3). If q is a delta subformula Δa,
then (x ⊨_S Δa) → (Δa ∈ f(x)) follows from conditions (4), (6), and (7), and (Δa ∈ f(x)) → (x
⊨_S Δa) follows from conditions (3) and (5). By condition (1), Λ ⊨_S p, and by condition (3), for
1 ≤ n ≤ N, if x ⊨_S <a_n>q_n then ∃y. x < y < xn0^ω & x<a_n;q_n?>_S y. Hence S is a scheme for p.

Corollary 5.6: If p is a delta-PDL formula, then a Σ_p-tree f is a one-way image for p if and only if
conditions (1) - (7) above are satisfied and, for all x, f(x) contains no negative literals.
The formula ∃Xp is true in a state at time t if that state can become, at time t + 1, a state in
which p is true. The formula ∃Fp is true in a state at time t if that state is or can become, at some
later time t + n, a state in which p is true. The formula ∃Gp is true in a state at time t if from
that state there is an infinite sequence of successive states in which p is true. We can define three
dual formulae: ∀Xp =df ¬∃X¬p, ∀Fp =df ¬∃F¬p, and ∀Gp =df ¬∃G¬p. The formula ∀Xp
is true in a state if p is true in all possible next states. The formula ∀Fp is true in a state if p is
true in that state and in all possible future states. The formula ∀Gp is true in a state if, from that
state, every chain of successive states contains a state in which p is true.
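
The UB clauses for ∃X, ∃F and ∃G and the three duals can be evaluated mechanically on a finite UB-structure. The Python below is an added example, not part of the thesis: it computes ∃F as a least fixpoint and ∃G as a greatest fixpoint. The tuple encoding of formulae, the function names and the four-state structure are assumptions constructed for illustration.

```python
# Added illustration: evaluate UB formulae on a finite UB-structure.
# Formula encoding (an assumption of this sketch): ("prop", P), ("not", p),
# ("or", p, q), ("EX", p), ("EF", p), ("EG", p).

def holds(S, f):
    """Return the set of states of S = (U, val, nxt) at which f is true."""
    U, val, nxt = S
    kind = f[0]
    if kind == "prop":
        return set(val.get(f[1], ())) & U
    if kind == "not":
        return U - holds(S, f[1])
    if kind == "or":
        return holds(S, f[1]) | holds(S, f[2])
    P = holds(S, f[1])
    if kind == "EX":                  # clause (3): some next state satisfies p
        return {u for u in U if nxt[u] & P}
    if kind == "EF":                  # clause (4): least fixpoint along =>*
        R = set(P)
        while True:
            new = {u for u in U - R if nxt[u] & R}
            if not new:
                return R
            R |= new
    if kind == "EG":                  # clause (5): greatest fixpoint
        R = set(P)
        while True:
            dead = {u for u in R if not (nxt[u] & R)}
            if not dead:
                return R
            R -= dead                 # no infinite p-sequence can pass through these
    raise ValueError(f"unknown connective {kind!r}")


def dual(op, p):
    """The dual of EX, EF or EG as defined in the text: not-op-not p."""
    return ("not", (op, ("not", p)))


def is_total(S):
    """A UB-structure requires every state to have at least one successor."""
    U, _, nxt = S
    return all(nxt[u] & U for u in U)


# Constructed structure: 0 -> 1, 0 -> 2, 1 -> 1, 2 -> 3, 3 -> 3; p holds at 0, 1 and 3.
U = {0, 1, 2, 3}
S = (U, {"p": {0, 1, 3}}, {0: {1, 2}, 1: {1}, 2: {3}, 3: {3}})
p = ("prop", "p")

if __name__ == "__main__":
    assert is_total(S)
    for name, f in [("EXp", ("EX", p)), ("EFp", ("EF", p)), ("EGp", ("EG", p)),
                    ("AXp", dual("EX", p)), ("AFp", dual("EF", p)),
                    ("AGp", dual("EG", p))]:
        print(name, sorted(holds(S, f)))
```

On this structure the dual of ∃F holds only at states 1 and 3, because states 0 and 2 can reach the state where p fails, while the dual of ∃G holds everywhere, because no infinite sequence stays inside ¬p.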

Definition: Let A be a fixed atomic program. Let †: Π_UB → Π be a translation defined as
follows.

(1) P† = P

(2) (¬p)† = ¬(p†)

(3) (p ∨ q)† = (p† ∨ q†)

(4) (∃Xp)† = <A>(p†)

(5) (∃Fp)† = <A*>(p†)

(6) (∃Gp)† = Δ((p†)?;A)

Definition: If S = <U, ⊨_S, ⇒_S> is a UB-structure, then let S† = <U, ⊨_{S†}, <>_{S†}> be any
structure in which ⊨_{S†} = ⊨_S and

Theorem 2.5: UB is embeddable in delta-PDL; if p is a UB formula satisfied at a state u in a UB-
structure S, then u ⊨_{S†} p†. Further, p has a UB-model if and only if [A*]<A>true & p† is
satisfiable.

Proof. By structural induction on formulae. ■

Propositional Algorithmic Logic is very similar to PDL. One major difference is that the semantics
of programs in PAL is defined in terms of computation sequences rather than binary relations as
in PDL (one might say that PAL has an operational semantics and PDL a denotational semantics).
The other major difference is that PAL contains a powerful total correctness assertion for
nondeterministic programs, □(a)p, which is true when every execution sequence of a terminates in
a state in which p is true. Since the truth value of □(a)p depends on the presence or absence of
nonterminating execution sequences of a, PDL does not express PAL. Delta-PDL, however, does
express PAL.
arbitrarily. Finally, given φ, define a structure T = <T_{N+1}, ⊨_T, <>_T> by letting x ⊨_T P if and
only if φ(x) ⊨_S P and letting x<A>_T y if and only if x and y are neighbors and φ(x)<A>_S φ(y).
By construction T is a scheme for p. ■

Corollary 5.4: Every satisfiable delta-PDL formula has a one-way scheme.

Proof. Given a satisfiable delta-PDL formula p, construct the map φ as in the preceding proof,
but define T = <T_{N+1}, ⊨_T, <>_T> by letting x ⊨_T P if and only if φ(x) ⊨_S P and letting
x<A>_T y if and only if y is a successor of x and φ(x)<A>_S φ(y). By construction T is a one-way
scheme for p. ■

Schemes are easily transformed into trees suitable for input to automata on infinite trees. 
The trees obtained in this way are automaton recognizable; this fact leads immediately to decision 
procedures for delta-PDL and delta-converse-PDL.

Definition: If p is a delta-converse-PDL formula, Π_p denotes the set of literals appearing in p. Let
Σ_p = Powerset(cl(p) ∪ Π_p).

Definition: Given a scheme S = <T_{N+1}, ⊨_S, <>_S> for a delta-converse-PDL formula p, the image
of S is the N+1-ary Σ_p-tree f such that for all x ∈ T_{N+1}, f(x) = {q ∈ cl(p) | x ⊨_S q} ∪ {a ∈
Π_p | y<a>_S x where y is the predecessor of x}. An image for p is an image of a scheme for p.

Remark: If the scheme S is one-way and if f is the image of S, then for all x, f(x) contains no
negative literals.

It is technically convenient to define a version of execution sequences in which all 
subsequences of tests are compressed into single sets of formulae. Note that it is no more difficult 
for a finite automaton to recognize the compressed execution sequences of a program than the 
ordinary execution sequences: if the latter set is accepted by an n-state automaton on finite strings,
then so is the former.

Definition: Given a formula p, a compressed (with respect to p) execution sequence is a sequence
η_0 b_1 η_1 ··· η_{n-1} b_n η_n of alternating literals and sets of subformulae of p, beginning and
ending with sets. The set of compressed execution sequences for a program a is
C(a) = {η_0 b_1 η_1 ··· η_{n-1} b_n η_n | there exists
q_{01}? ··· q_{0k_0}? b_1 q_{11}? ··· q_{1k_1}? b_2 ··· b_n q_{n1}? ··· q_{nk_n}? ∈ L(a), where each b_i
is a literal, such that η_i = {q_{i1}, ..., q_{ik_i}}, for 0 ≤ i ≤ n}.

Definition: Given a Σ_p-tree f, a program a fits a path π = {x_i}_{0≤i≤n} if and only if there is a
compressed execution sequence η_0 b_1 η_1 ··· η_{n-1} b_n η_n ∈ C(a) such that for 0 ≤ i ≤ n,
η_i ⊆ f(x_i) and for 0 ≤ i < n,

(1) if x_{i+1} is a successor of x_i, then b_{i+1} ∈ f(x_{i+1}).
Definition: The set of programs, Π_PAL, and the set of formulae, Φ_PAL, of PAL are defined
inductively as follows.

Π_PAL: (1) Π ⊆ Π_PAL

(2) If a, b ∈ Π_PAL, then a;b, a∪b, a* ∈ Π_PAL

(3) If p ∈ Φ_PAL and a, b ∈ Π_PAL, then p?, if p then a else b,
while p do a ∈ Π_PAL

Φ_PAL: (1) Φ ⊆ Φ_PAL

(2) If p, q ∈ Φ_PAL, then ¬p ∈ Φ_PAL

(3) If a ∈ Π_PAL and p ∈ Φ_PAL, then ◇(a)p, □(a)p ∈ Φ_PAL

Definition: If S is a structure, then a configuration is a pair <u, π>, where u is a state of S and π
= <a_1, ..., a_k> is a (possibly empty) sequence of programs. The configuration <u, π> is final if
and only if π is empty.

Definition: Given a structure S, ⊨_S can be extended to arbitrary PAL formulae and a binary
relation ⇒_S on configurations can be defined as follows. If <u, π> ⇒_S* <v, τ>, then we say that
<u, π> yields <v, τ>. If <u, π> is not final and in addition there is no configuration <v, τ> such
that <u, π> ⇒_S <v, τ>, then <u, π> is a failing configuration.

(1) u ⊨_S ¬p iff not u ⊨_S p.

(2) u ⊨_S ◇(a)p iff <u, <a, p?>> yields a final configuration.

(3) u ⊨_S □(a)p iff <u, <a, p?>> yields neither a failing configuration nor an infinite
chain of configurations.

(4) <u, <A, a_1, ..., a_k>> ⇒_S <v, <a_1, ..., a_k>> iff u<A>_S v.

(5) <u, <a;b, a_1, ..., a_k>> ⇒_S <u, <a, b, a_1, ..., a_k>>.

(6) <u, <a∪b, a_1, ..., a_k>> ⇒_S <u, <c, a_1, ..., a_k>> iff c = a or c = b.

(7) <u, <a*, a_1, ..., a_k>> ⇒_S <u, <a_1, ..., a_k>>.

(8) <u, <a*, a_1, ..., a_k>> ⇒_S <u, <a, a*, a_1, ..., a_k>>.

(9) <u, <p?, a_1, ..., a_k>> ⇒_S <u, <a_1, ..., a_k>> iff u ⊨_S p.

(10) <u, <if p then a else b, a_1, ..., a_k>> ⇒_S <u, <c, a_1, ..., a_k>> iff either
u ⊨_S p and c = a or u ⊨_S ¬p and c = b.

(11) <u, <while p do a, a_1, ..., a_k>> ⇒_S <u, <a_1, ..., a_k>> iff u ⊨_S p.

(12) <u, <while p do a, a_1, ..., a_k>> ⇒_S <u, <a, while p do a, a_1, ..., a_k>> iff
u ⊨_S ¬p.




Definition: If a is a delta-converse-PDL program, then L(a), the set of execution sequences of a, is
defined inductively as follows:

(1) L(A) = {A}

(2) L(a;b) = L(a);L(b)

(3) L(a∪b) = L(a) ∪ L(b)

(4) L(a*) = (L(a))*

(5) L(q?) = {q?}

(6) L(A⁻) = {A⁻}

(7) L((a;b)⁻) = L(b⁻;a⁻)

(8) L((a∪b)⁻) = L(a⁻ ∪ b⁻)

(9) L((a*)⁻) = L((a⁻)*)

(10) L((q?)⁻) = {q?}

(11) L((a⁻)⁻) = L(a)

Lemma 5.2: For all structures S = <U, ⊨_S, <>_S> and programs a, u<a>_S v if and only if there is
an execution sequence b_1 ··· b_k ∈ L(a) and a sequence of states {u_n}_{0≤n≤k} such that u_0 = u,
u_k = v and u_n<b_{n+1}>_S u_{n+1}, for 0 ≤ n < k.

Proof. By structural induction on programs. ■

If p is a satisfiable delta-converse-PDL formula, Theorem 5.3 shows that p has a special tree
model, called a scheme, which is easily transformed into a tree suitable as input to a two-way
automaton. A scheme is a tree structure in which p is satisfied at the root and diamond
subformulae of p are satisfied along specific paths. If p is converse-free, i.e., a delta-PDL formula,
then Corollary 5.4 shows that p has a one-way scheme, i.e., a scheme which is a one-way tree
structure.

Definition: If p is a delta-converse-PDL formula with diamond subformulae <a_1>q_1, ..., <a_N>q_N,
then a scheme for p is a tree structure S = <T_{N+1}, ⊨_S, <>_S> such that Λ ⊨_S p and for all states
x, if x ⊨_S <a_n>q_n then ∃y. x < y < xn0^ω & x<a_n;q_n?>_S y.

Theorem 5.3: Every satisfiable delta-converse-PDL formula has a scheme.

Proof. Suppose u_0 ⊨_S p, where S = <U, ⊨_S, <>_S>. We construct a map φ: T_{N+1} → U
inductively as follows. Let φ(Λ) = u_0. Inductively, if x is in V and φ(x) = u, then we consider,
for each n, whether u ⊨_S <a_n>q_n. If not, let φ(xn0^m) be arbitrary for all m. If so, then there is a
state v such that u<a_n;q_n?>_S v. By Lemma 5.2, there is a sequence of states {u_i}_{0≤i≤k} and an
execution sequence b_1 ··· b_k ∈ L(a_n;q_n?) such that u_0 = u, u_k = v, and u_i<b_{i+1}>_S u_{i+1}
for 0 ≤ i < k. Let m be the number of literals in b_1 ··· b_k. For 1 ≤ i ≤ m, let φ(xn0^{i-1}) =
u_j, where j is the index of the i-th literal in b_1 ··· b_k. For i > m, let φ(xn0^{i-1}) be chosen



Remark: Note that ◇(a)p and □(a)p are not dual to one another, i.e., □(a)p is not equivalent to
¬◇(a)¬p. Note also that □(if p then a else b)q is sometimes true and sometimes false, but that
□((p?;a)∪(¬p?;b))q is always false, since
<u, <((p?;a)∪(¬p?;b));q?>> yields <u, <p?, a, q?>> and <u, <¬p?, b, q?>>, one of which must be a
failing configuration. Hence if p then a else b cannot be defined, in PAL, to be an abbreviation of
(p?;a)∪(¬p?;b). Similarly, while p do a cannot be defined, in PAL, to be an abbreviation of
(p?;a)*;¬p?.
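
The remark above can be checked by running the configuration rules directly. The Python below is an added example, not part of the thesis: it implements rules (4) - (10) and the clauses for ◇(a)p and □(a)p on a finite structure, leaving out the while construct. The tuple encoding, the function names and the four-state structure are assumptions constructed for illustration.

```python
# Added illustration of PAL configurations on a finite structure S = (val, rel).
# Encoding (an assumption of this sketch):
#   programs: ("atom", A), ("seq", a, b), ("union", a, b), ("star", a),
#             ("test", p), ("if", p, a, b)
#   formulae: ("prop", P), ("not", p), ("dia", a, p), ("box", a, p)

def step(S, conf):
    """One-step successors of the configuration (u, stack), rules (4)-(10)."""
    _, rel = S
    u, stack = conf
    if not stack:                                   # final configuration
        return []
    head, rest = stack[0], stack[1:]
    kind = head[0]
    if kind == "atom":                              # rule (4)
        return [(v, rest) for (x, v) in sorted(rel.get(head[1], ())) if x == u]
    if kind == "seq":                               # rule (5)
        return [(u, (head[1], head[2]) + rest)]
    if kind == "union":                             # rule (6)
        return [(u, (head[1],) + rest), (u, (head[2],) + rest)]
    if kind == "star":                              # rules (7) and (8)
        return [(u, rest), (u, (head[1], head) + rest)]
    if kind == "test":                              # rule (9)
        return [(u, rest)] if sat(S, u, head[1]) else []
    if kind == "if":                                # rule (10)
        chosen = head[2] if sat(S, u, head[1]) else head[3]
        return [(u, (chosen,) + rest)]
    raise ValueError(f"unknown program {kind!r}")


def explore(S, start):
    """Graph of every configuration that `start` yields (finite when S is finite)."""
    graph, todo = {}, [start]
    while todo:
        conf = todo.pop()
        if conf not in graph:
            graph[conf] = step(S, conf)
            todo.extend(graph[conf])
    return graph


def terminating(graph):
    """Configurations from which every chain is finite and ends in a final one."""
    good = {c for c in graph if not c[1]}
    changed = True
    while changed:                                  # least fixpoint: cycles never enter
        changed = False
        for conf, succ in graph.items():
            if conf not in good and succ and all(d in good for d in succ):
                good.add(conf)
                changed = True
    return good


def sat(S, u, f):
    """Decide whether formula f holds at state u of S."""
    val, _ = S
    kind = f[0]
    if kind == "prop":
        return u in val.get(f[1], ())
    if kind == "not":
        return not sat(S, u, f[1])
    start = (u, (f[1], ("test", f[2])))             # the configuration <u, <a, p?>>
    graph = explore(S, start)
    if kind == "dia":                               # yields a final configuration
        return any(not stack for (_, stack) in graph)
    if kind == "box":                               # no failing configuration, no infinite chain
        return start in terminating(graph)
    raise ValueError(f"unknown formula {kind!r}")


# Constructed structure: P holds at 0, Q at 1 and 3; A: 0 -> 1; B: 0 -> 2, 2 -> 3.
P, Q = ("prop", "P"), ("prop", "Q")
A, B = ("atom", "A"), ("atom", "B")
S = ({"P": {0}, "Q": {1, 3}}, {"A": {(0, 1)}, "B": {(0, 2), (2, 3)}})
COND = ("if", P, A, B)
UNION = ("union", ("seq", ("test", P), A), ("seq", ("test", ("not", P)), B))

if __name__ == "__main__":
    for u in range(4):
        print(u, sat(S, u, ("box", COND, Q)), sat(S, u, ("box", UNION, Q)))
```

At state 0 the conditional form satisfies the box assertion while the union form does not, and the negated diamond of ¬Q holds there although the box assertion fails, which is the non-duality the remark states.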

Definition: For each PAL program a, define a PAL formula fail(a) as follows.

(1) fail(A) = ¬◇(A)true

(2) fail(a;b) = fail(a) ∨ ◇(a)fail(b)

(3) fail(a∪b) = fail(a) ∨ fail(b)

(4) fail(a*) = ◇(a*)fail(a)

(5) fail(p?) = ¬p

(6) fail(if p then a else b) = (p & fail(a)) ∨ (¬p & fail(b))

(7) fail(while p do a) = ◇((p?;a)*)(p & fail(a))

Lemma 2.6: For all structures S, states u, and PAL programs a, u ⊨_S fail(a) if and only if
<u, <a>> yields a failing configuration.

Proof. By structural induction on programs. ■

Definition: Let ‡ be a translation from PAL formulae and programs to delta-PDL formulae and
programs defined as follows.

(1) P‡ = P

(2) (¬p)‡ = ¬(p‡)

(3) (◇(a)p)‡ = <a‡>(p‡)

(4) (□(a)p)‡ = ¬((fail(a;p?))‡ ∨ ∞(a‡))

(5) A‡ = A

(6) (a;b)‡ = (a‡);(b‡)

(7) (a∪b)‡ = (a‡)∪(b‡)

(8) (a*)‡ = (a‡)*

(9) (p?)‡ = (p‡)?

(10) (if p then a else b)‡ = if p‡ then a‡ else b‡

(11) (while p do a)‡ = while p‡ do a‡
5 Satisfiability and Finite Models

In this chapter the automata theoretic results of the previous two chapters are used to
obtain decision procedures for delta-PDL and delta-converse-PDL. The notion of a finitely
generable tree is then employed to establish a finite model theorem for delta-PDL and a finite
representation theorem for delta-converse-PDL. First, however, we precisely define the informal
notions of the subformulae of a formula and the execution sequences of a program.

Definition: If p is a delta-converse-PDL formula, then cl(p), the Fischer-Ladner closure of p, is the
least set of formulae such that

(1) p ∈ cl(p)

(2) if ¬q ∈ cl(p), then q ∈ cl(p)

(3) if <A>q ∈ cl(p) or <A⁻>q ∈ cl(p), then q ∈ cl(p)

(4) if <a;b>q ∈ cl(p), then <a><b>q ∈ cl(p)

(5) if <(a;b)⁻>q ∈ cl(p), then <b⁻;a⁻>q ∈ cl(p)

(6) if <a∪b>q ∈ cl(p), then <a>q, <b>q ∈ cl(p)

(7) if <(a∪b)⁻>q ∈ cl(p), then <a⁻∪b⁻>q ∈ cl(p)

(8) if <a*>q ∈ cl(p), then q, <a><a*>q ∈ cl(p)

(9) if <(a*)⁻>q ∈ cl(p), then <(a⁻)*>q ∈ cl(p)

(10) if <r?>q ∈ cl(p), then r, q ∈ cl(p)

(11) if <(r?)⁻>q ∈ cl(p), then <r?>q ∈ cl(p)

(12) if Δa ∈ cl(p), then <a>Δa ∈ cl(p)

Lemma 5.1: If p is a delta-converse-PDL formula of length n, then cl(p) contains at most n
formulae.

Proof. A straightforward extension of the corresponding proof for PDL [7]. ■

Definition: The elements of cl(p) are called the subformulae of p; this can be misleading, since
<a><a*>q and <a>Δa are, by the above definition, subformulae of <a*>q and Δa respectively. A
subformula of p of the form <a>q is called a diamond subformula of p.
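
The closure rules (1) - (12) translate directly into a worklist computation. The Python below is an added example, not part of the thesis: it computes cl(p) and shows concretely that <a><a*>q and <a>Δa land in the closure. The tuple encoding, the ASCII rendering and the sample formulae are assumptions constructed for illustration.

```python
# Added illustration: Fischer-Ladner closure by a worklist over rules (1)-(12).
# Encoding (an assumption of this sketch):
#   programs: ("atom", A), ("seq", a, b), ("union", a, b), ("star", a),
#             ("test", r), ("conv", a)
#   formulae: ("prop", P), ("not", q), ("dia", a, q), ("delta", a)

def conv(a):
    return ("conv", a)


def successors(f):
    """Formulae that rules (2)-(12) force into cl(p) once f is in cl(p)."""
    kind = f[0]
    if kind == "not":                                    # rule (2)
        return [f[1]]
    if kind == "delta":                                  # rule (12)
        return [("dia", f[1], f)]
    if kind != "dia":
        return []
    a, q = f[1], f[2]
    k = a[0]
    if k == "atom":                                      # rule (3), positive literal
        return [q]
    if k == "seq":                                       # rule (4)
        return [("dia", a[1], ("dia", a[2], q))]
    if k == "union":                                     # rule (6)
        return [("dia", a[1], q), ("dia", a[2], q)]
    if k == "star":                                      # rule (8)
        return [q, ("dia", a[1], f)]
    if k == "test":                                      # rule (10)
        return [a[1], q]
    if k == "conv":
        b = a[1]
        if b[0] == "atom":                               # rule (3), negative literal
            return [q]
        if b[0] == "seq":                                # rule (5)
            return [("dia", ("seq", conv(b[2]), conv(b[1])), q)]
        if b[0] == "union":                              # rule (7)
            return [("dia", ("union", conv(b[1]), conv(b[2])), q)]
        if b[0] == "star":                               # rule (9)
            return [("dia", ("star", conv(b[1])), q)]
        if b[0] == "test":                               # rule (11)
            return [("dia", b, q)]
    return []      # e.g. a double converse, for which the page lists no rule


def closure(p):
    """cl(p): least set containing p (rule (1)) and closed under successors."""
    seen, todo = set(), [p]
    while todo:
        f = todo.pop()
        if f not in seen:
            seen.add(f)
            todo.extend(successors(f))
    return seen


def show(x):
    """ASCII rendering: ~ negation, Delta(...) delta, U union, ^- converse."""
    k = x[0]
    if k in ("prop", "atom"):
        return x[1]
    if k == "not":
        return "~" + show(x[1])
    if k == "dia":
        return "<" + show(x[1]) + ">" + show(x[2])
    if k == "delta":
        return "Delta(" + show(x[1]) + ")"
    if k == "seq":
        return show(x[1]) + ";" + show(x[2])
    if k == "union":
        return "(" + show(x[1]) + " U " + show(x[2]) + ")"
    if k == "star":
        return "(" + show(x[1]) + ")*"
    if k == "test":
        return show(x[1]) + "?"
    return "(" + show(x[1]) + ")^-"


# Constructed sample formulae.
A, B, P = ("atom", "A"), ("atom", "B"), ("prop", "P")
LOOP = ("dia", ("star", ("seq", A, B)), P)         # <(A;B)*>P
DELTA = ("delta", ("star", A))                     # Delta(A*)
BACK = ("dia", conv(("seq", A, B)), P)             # <(A;B)^->P

if __name__ == "__main__":
    for p in (LOOP, DELTA, BACK):
        print(show(p), "->", sorted(show(f) for f in closure(p)))
```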

Definition: Abusing predicate calculus terminology, we define a literal to be either an atomic
program or the converse of an atomic program. Atomic programs will sometimes be called positive
literals and converses of atomic programs negative literals. The inverse of a positive literal A is
A⁻; the inverse of a negative literal A⁻ is A.

Programs in delta-converse-PDL are extended regular expressions over literals and tests, so 
each program denotes a regular set, the set of its execution sequences. 
Lemma 2.7: For all structures S, states u of S, and PAL programs a, <u, <a>> yields <v, ∅> if and
only if u<a‡>_S v.

Proof. By structural induction on programs. ■

Lemma 2.8: For all structures S, states u of S, and PAL programs a, <u, <a>> yields an infinite
chain if and only if u ⊨_S ∞(a‡).

Proof. By structural induction on programs. ■

Theorem 2.9: PAL is embeddable in delta-PDL, i.e., for all structures S, states u of S, and PAL
formulae p, u ⊨_S p if and only if u ⊨_S p‡.

Proof. Follows directly from Lemmas 2.6, 2.7, and 2.8. ■
Proof. It is easy to construct, in time O(exp exp m), a one-way automaton C, with no more than
O(exp exp m) states, which accepts an infinite (Σ × C_S)-tree f × g exactly when g is a plan for f. It
is straightforward to construct, also in time O(exp exp m), a nondeterministic automaton D on
infinite strings, with no more than O(exp exp m) states, which, when run along an infinite forward
path of an infinite N-ary C_S-tree g, accepts exactly when that path violates either of the two
conditions for goodness. McNaughton gives a construction which, given a nondeterministic
automaton on infinite strings with k states, produces, in time O(exp exp k), a deterministic
automaton on infinite strings, with no more than O(exp exp k) states, which accepts exactly the
complement of the set of strings accepted by the original automaton [9]. Let E be the result of
applying McNaughton's construction to D; let F be that automaton on infinite trees which runs E
down every infinite forward path, so that F accepts g exactly when g is good. Finally, the desired
automaton B, given an input tree f: T_N → Σ, nondeterministically guesses a map g: T_N → C_S
while simultaneously running the automata C on f × g and F on g. By Lemmas 4.4 and 4.9, A
and B accept the same trees. The automaton B has no more than O(exp^4 m) states and can be
constructed from A in time O(exp^4 m). ■
3 One-Way Automata on Infinite Trees

Automata on infinite trees, called one-way automata in this chapter to distinguish them 
from the two-way automata defined in the next chapter, have been extensively studied [8, 18, 19]. 
We briefly review the fundamental definitions and theorems. 

Definition: The set T_N = {0, 1, ..., N-1}* of strings of the first N nonnegative integers can be
viewed as an infinite N-ary tree, in which the empty string Λ is the root and each string (or node)
x ∈ T_N has as its successors the strings x0, ..., x(N-1). The descendant relation is the reflexive
transitive closure of the successor relation; we write y > x when y is a descendant of x
(alternatively, we can write x < y and say that x is an ancestor of y).

Definition: A finite (infinite) forward path through T_N is a finite (infinite) sequence π = {x_n} of
elements of T_N, such that for all n, x_{n+1} is a successor of x_n.

Definition: If Σ is a finite alphabet, then an infinite N-ary Σ-tree is a function f: T_N → Σ.

Definition: A (nondeterministic) one-way automaton A on infinite N-ary Σ-trees is a tuple
<S, s, M, G> where

S is the set of states.

s ∈ S is the initial state.

M: S × Σ → Powerset(S^N) is the next state function.

G ⊆ Powerset(S) is a set of accepting subsets.

Definition: A run of A on an infinite N-ary Σ-tree f is a function ρ: T_N → S such that ρ(Λ) = s
and for all x ∈ T_N, <ρ(x0), ..., ρ(x(N-1))> ∈ M(ρ(x), f(x)).

Definition: If ρ is a run of A on f and π is an infinite forward path, then Inf(ρ, π) =
{q ∈ S | ρ(x) = q for infinitely many x on π}.

Definition: An automaton A accepts an infinite N-ary Σ-tree f if and only if there is a run ρ of A
on f such that for all infinite forward paths π, Inf(ρ, π) ∈ G.

Theorem 3.1: The emptiness problem for an N-ary infinite tree automaton A with m states, i.e., the
problem of deciding whether or not A accepts any tree at all, can be decided in time
O(exp exp mN).

Proof. Given an m state automaton on infinite N-ary trees, it is a straightforward exercise to
construct an O(mN) state automaton on infinite binary trees, such that the two automata have
equivalent emptiness problems. Hossley and Rackoff [8] give a decision procedure for the
emptiness problem for automata on infinite binary trees which runs in time O(exp exp n), where n
is the number of states of the automaton tested. ■



these two circuits (since Y, Z ≠ ∅, the loops cannot be singletons). The required loop for the join
is x;σ;x;τ;x. In the case of rule (5), <s, X, t> is the expansion of a circuit <t, Y, u> ∈ g_min(y),
where y is a neighbor of x. Inductively, there is a loop π on y for <t, Y, u>. The required loop
for the expansion is x;π;x. ■

Lemma 4.8: For all paths τ;π ending in a loop π on x, ρ(τ;x | τ;π) ∈ g_min(x).

Proof. By induction on the length of π. Let s = ρ(τ;x). If π is the singleton x, then by Lemma
4.6, ρ(τ;x | τ;π) = <s> ∈ g_min(x). If π = x;μ;x where μ is a loop on a neighbor y of x, then
inductively, ρ(τ;x;y | τ;x;μ) ∈ g_min(y). Then, by rule (5) for plans, ρ(τ;x | τ;x;π) ∈ g_min(x). If μ
is not a loop, then by Lemma 4.1, μ contains x, i.e. μ = φ;x;ψ. Inductively, ρ(τ;x | τ;x;φ;x),
ρ(τ;x;φ;x | τ;π) ∈ g_min(x). Then, by rule (4) for plans, ρ(τ;x | τ;π) ∈ g_min(x). ■

Lemma 4.9: The automaton A accepts an infinite tree f if and only if the minimal plan g_min for A
on f is good.

Proof. First, suppose A does not accept f. Then there is an infinite path π such that Inf(ρ, π) ∉
G, where ρ is the run of A on f. If π is cyclic on x, then π = μ;σ;τ where σ is a loop on x and
ρ(μ;x) = ρ(μ;σ) ∈ ρ(μ;x, μ;σ) = Inf(ρ, π). Then, by Lemma 4.8, ρ(μ;x | μ;σ) ∈ g_min(x), where
ρ(μ;x) ∈ ρ(μ;x, μ;σ) ∉ G, so g_min is not good. If, on the other hand, π is acyclic, then by
Lemma 4.2 there is an infinite forward path {x_n} such that π = τ_1;τ_2; ... ;τ_n; ..., where each
τ_n is a loop on x_n. Let ξ = {ρ(τ_1; ··· ;τ_{n-1};x_n | τ_1; ··· ;τ_n)}_{n>0}. We leave it to the reader to
show that ξ is a series for g_min on {x_n}, but that Sum(ξ) ∉ G, so that g_min is not good.

Conversely, suppose that g_min is not good. Then either there is a node x and a circuit <s, X, s> ∈
g_min(x) such that s ∈ X ∉ G or there is an infinite forward path {x_n} and a series ξ = {<s_n, X_n,
t_n>} for g_min on {x_n} such that Sum(ξ) ∉ G. If the first case holds, then by Lemma 4.7, there is a
loop x;π;x such that for all paths τ ending in x, if ρ(τ) = s, then ρ(τ, τ;π;x) = X and ρ(τ;π;x)
= s. By Lemma 4.5, there is a path τ ending in x such that ρ(τ) = s. Let μ = τ;π;x;π;x;π;x; ···.
We leave it to the reader to show that A rejects f because Inf(ρ, μ) = X ∉ G. If the
second case holds, then, by Lemma 4.5, there is an infinite path μ = τ_1;τ_2; ··· such that for all n,
τ_n is a loop on x_n and <s_n, X_n, t_n> = ρ(τ_1; ··· ;τ_{n-1};x_n | τ_1; ··· ;τ_n). Then Inf(ρ, μ) = Sum(ξ)
∉ G, so that A rejects f in this case also. ■



Definition: If f is an infinite N-ary Σ_0-tree and g is an infinite N-ary Σ_1-tree, then the product tree
f × g is an infinite N-ary (Σ_0 × Σ_1)-tree defined by (f × g)(x) = <f(x), g(x)>.

Theorem 4.10: Given a deterministic two-way automaton A with m states, there is a
nondeterministic one-way automaton B with no more than O(exp^4 m) states which accepts exactly
the trees accepted by A. Further, B can be constructed in time O(exp^4 m).
The decision procedure for the emptiness problem depends crucially on the fact that every
nonempty set of trees accepted by an automaton contains a finitely generable tree, i.e., a tree 
obtained by unwinding a finite graph. In chapter 5 we will use this fact to establish a finite 
model property for delta-PDL and a finite representation property for delta-converse-PDL. 

Definition: A frontier of T_N is a maximal incomparable subset X of T_N, i.e., a subset X such that
every element of T_N is either a descendant or an ancestor of some member of X, but no member of
X is the descendant of any other member of X.

Definition: A finite subtree of T_N is a subset T of T_N such that T = {x ∈ T_N | x < y for some
y ∈ X}, where X is a frontier. The frontier of T, front(T), is X, and the interior of T, int(T), is
T − front(T). A finite N-ary Σ-tree is a map f: T → Σ, where T is a finite subtree of T_N.

Definition: Given an automaton A on infinite N-ary Σ-trees and a finite N-ary Σ-tree f: T → Σ, a
run of A on f is a function ρ: T → S such that ρ(Λ) = s and for all x ∈ int(T), <ρ(x0), ...,
ρ(x(N-1))> ∈ M(ρ(x), f(x)).

Definition: A generating map for a finite subtree T of T_N is a function J: front(T) → int(T). Every
generating map defines a unique function J*: T_N → T as follows:

J*(Λ) = Λ

J*(xn) = J*(x)n if J*(x) ∈ int(T),

       = J(J*(x))n if J*(x) ∈ front(T).

Definition: An infinite Σ-tree f is finitely generable if and only if there is a finite subtree T of T_N
and a generating map J such that f = f ∘ J*.

Theorem 3.2 [8, 19]: If an automaton accepts at least one tree, then it accepts a finitely generable 
tree. 

Below we present an alternative formulation of automata on infinite trees. Pairs automata are 
equivalent to ordinary automata in the following sense: for every ordinary automaton, there is a 
pairs automaton which accepts exactly the same trees, and conversely. 

Definition: If Ω = {<L_n, U_n>}_{1≤n≤k} is a finite sequence of pairs of subsets of some set S, then
let F_Ω = {X ⊆ S | X ∩ L_n = ∅ & X ∩ U_n ≠ ∅ for some n}. Let G_Ω = Powerset(S) − F_Ω
= {X ⊆ S | X ∩ U_n ≠ ∅ → X ∩ L_n ≠ ∅ for all n}. Note that G_Ω is closed under unions,
i.e., if X, Y ∈ G_Ω, then X ∪ Y ∈ G_Ω.

Definition: A pairs automaton [8, 18, 19] A is a tuple <S, s, M, Ω>, where S, s, and M are defined
as for an ordinary automaton and Ω = {<L_n, U_n>}_{1≤n≤k} is a finite sequence of pairs of subsets
of S. A run of A on a tree f is defined exactly as for an ordinary automaton. The pairs
automaton A accepts f if and only if there is a run ρ of A on f such that for all infinite forward
infinite paths. A circuit of the form <s, X, s> with s ∈ X indicates that A can cycle endlessly
through the set X of states while travelling over a cyclic path, while a series describes the state
history of A on an acyclic path. Lemma 4.9 will show that the minimal plan g_min for A on f is
good exactly when A accepts f. Note that goodness is preserved under inclusion, i.e., if g and h
are two infinite N-ary C_S-trees such that h is good and ∀x ∈ T_N. g(x) ⊆ h(x), then g is good.
The lemma below follows immediately.

Lemma 4.4: There is a good plan for A on f if and only if g_min is good.

Proof. The minimal plan g_min is included in every plan for A on f, so g_min must be good if any
plan for A on f is good. ■

The next series of lemmas show that the minimal plan g_min contains precisely the circuits
for all loops.

Lemma 4.5: For all x ∈ T_N, if <s, X, t> ∈ g_min(x), then there is a path π ending in x such that
ρ(π) = s.

Proof. If <s, X, t> ∈ g_min(x) then there must be a derivation of this fact by rules (1) - (5) for plans.
We proceed by induction on the structure of derivations. For case (1), the required path is the
singleton x. If <s> ∈ g_min(x) by rule (3), then there is a circuit <t> ∈ g_min(y), where s = M_n(t,
f(y)) and y is the n-th neighbor of x. By induction there is a path τ ending in y such that ρ(τ) = t.
The required path for <s> is τ;x. Similarly for case (2). If <s, X, t> ∈ g_min(x) by rule (4), then
there is a circuit <s, Y, u> ∈ g_min(x) such that Y ∪ {u} ⊆ X. By induction there is a path π
ending in x such that ρ(π) = s. If <s, X, t> ∈ g_min(x) by rule (5), then <s> ∈ g_min(x). By
induction there is a path π ending in x such that ρ(π) = s. ■

Lemma 4.6: For all x ∈ T_N and for all paths π ending in x, <ρ(π)> ∈ g_min(x).

Proof. We proceed by induction on the length of paths. If π is a singleton, then ρ(π) = s_0 and
<s_0> ∈ g_min(x) by rule (1). If π = τ;n, where τ ends in Λ, then ρ(π) = L_n(ρ(τ), f(Λ)) and
<ρ(π)> ∈ g_min(x) by rule (2). Finally, if π = τ;x, where τ ends in y ≠ Λ and x is the n-th
neighbor of y, then ρ(π) = M_n(ρ(τ), f(y)) and <ρ(π)> ∈ g_min(x) by rule (3). ■

Lemma 4.7: For all x ∈ T_N, if <s, X, t> ∈ g_min(x) then there is a loop π on x such that for all
paths of the form τ;π, if ρ(τ;x) = s then ρ(τ;x, τ;π) = X and ρ(τ;π) = t.

Proof. If <s, X, t> ∈ g_min(x) then there must be a derivation of this fact by rules (1) - (5) for plans.
We proceed by induction on the structure of derivations. For the cases (1) - (3), the required loop
is the singleton x. In the case of rule (4), <s, X, t> is the join of two circuits <s, Y, u> ∈ g_min(x)
and <u, Z, t> ∈ g_min(x) such that Y, Z ≠ ∅. Inductively, there are loops x;σ;x and x;τ;x for
paths π, Inf(ρ, π) ∈ F_Ω (i.e., ∉ G_Ω).

Pairs automata as defined above will not be used in this thesis. However, by reversing the 
standard definition of acceptance, we obtain a new type of automaton, the complemented pairs 
automaton. In chapter 5 we will use complemented pairs automata to decide the satisfiability of 
delta-PDL formulae. 

Definition: A complemented pairs automaton A is a tuple <S, s, M, Ω>, where S, s, M, and Ω =
{<L_n, U_n>}_{1≤n≤k} are defined as for a pairs automaton. A run of A on a tree f is defined exactly
as for a pairs automaton. However, the complemented pairs automaton A accepts f if and only if
there is a run ρ of A on f such that for all infinite forward paths π, Inf(ρ, π) ∈ G_Ω (i.e., ∉ F_Ω).

The fact that G_Ω is always closed under unions permits a simplified decision procedure for the
emptiness problem for complemented pairs automata. The interested reader should compare the
procedure below with that of Hossley and Rackoff [8] in order to fully appreciate the similarities
and differences. Note that the running time of the procedure below depends both on the number
of states and the number of pairs of the automata tested. In chapter 5 we will use complemented
pairs automata where k, the number of pairs, is O(log m), where m is the number of states. The
procedure below decides the emptiness problem for such automata in time O(exp m), as opposed
to time O(exp exp m) for Hossley's and Rackoff's more general procedure.

Definition: A string q_1 ··· q_m ∈ S* is good with respect to a complemented pairs automaton A =
<S, s, M, Ω> if and only if ∃i < m. q_i = q_m & {q_{i+1}, ..., q_m} ∈ G_Ω.

Lemma 3.3: The set of strings which are good with respect to a complemented pairs automaton
with m states and k pairs is accepted by a deterministic automaton on finite strings of size at worst
O(exp exp(k + log m)).

Proof. It is straightforward to construct a nondeterministic automaton on finite strings, with no
more than O(m × 2^k) states, which accepts exactly the good strings. Applying the Rabin-Scott
powerset construction yields the required deterministic automaton. ■

Definition: A finite N-ary Σ-tree f: T → Σ is good (with respect to A) if there is a run ρ of A on f
such that for all x = n_1 ··· n_k in the frontier of T, ρ(Λ)ρ(n_1)ρ(n_1 n_2) ··· ρ(x) is good.

Lemma 3.4: The set of good trees for a complemented pairs automaton with m states and k pairs is
accepted by a deterministic automaton on finite N-ary trees with no more than O(exp
exp(k + log m)) states.

Proof. Let B be the deterministic automaton on finite strings guaranteed by the preceding lemma.
The desired tree automaton, given a tree f, simulates A on f in order to construct a run of A on f
while simultaneously using B to check every path of this run. ■
an automaton, so we abbreviate <s, ∅, s> to <s>.

Notation: If ρ: P_N → S and τ, π ∈ P_N, then ρ(τ, π) = {ρ(μ) | τ < μ < π} and ρ(τ | π) =
<ρ(τ), ρ(τ, π), ρ(π)>.

Definition: Given an automaton A and a tree f, a plan for A on f is an infinite N-ary C_S-tree g
such that for all x ∈ T_N:

(1) <s_0> ∈ g(x)

(2) if <s> ∈ g(Λ), then <L_n(s, f(Λ))> ∈ g(n)

(3) if x ≠ Λ and <s> ∈ g(x) and y is the n-th neighbor of x, then <M_n(s, f(x))> ∈ g(y)

(4) if <s, X, t> ∈ g(x) and <t, Y, u> ∈ g(x) with X, Y ≠ ∅, then <s, X ∪ {t} ∪ Y, u> ∈
g(x), in which case the resulting circuit is called the join of the original two.

(5) if <s> ∈ g(x), y is the n-th neighbor of x, x is the m-th neighbor of y, t = L_n(s, f(Λ)) if x
= Λ or M_n(s, f(x)) otherwise, v = L_m(u, f(Λ)) if y = Λ or M_m(u, f(y)) otherwise, and
<t, X, u> ∈ g(y), then <s, X ∪ {t, u}, v> ∈ g(x), in which case the resulting circuit is
called the expansion of the first one.

The above five conditions are intended to force a plan to include circuits for all possible 
loops through a tree, but they do not rule out the presence of circuits which do not correspond to 
any loop. It will be shown, however, that the least or minimal plan contains precisely the circuits 
for all loops. 

Lemma 4.3: For each automaton $A$ and tree $f$ there is a plan $g_{min}$ for $A$ on $f$ such that for all
plans $g$ for $A$ on $f$ and nodes $x \in T_N$, $g_{min}(x) \subseteq g(x)$.

Proof. Define $g_{min}$ as the pointwise intersection of all plans for $A$ on $f$. ∎

Definition: Given a plan $g$ and an infinite forward path $\{x_n\}$, a series for $g$ on $\{x_n\}$ is an infinite
sequence of circuits $\{\langle s_n, X_n, t_n \rangle\}$ such that for all $n$, $\langle s_n, X_n, t_n \rangle \in g(x_n)$ and $s_{n+1} = M_m(t_n, f(x_n))$ (or
$L_m(t_n, f(\Lambda))$ if $x_n = \Lambda$) if $x_{n+1}$ is the $m^{th}$ neighbor of $x_n$.

Definition: If $\xi$ is a sequence of circuits, then $\mathrm{Sum}(\xi) = \{s \in S \mid s \in X \cup \{t, u\}$, for infinitely
many $\langle t, X, u \rangle$ on $\xi\}$.

Definition: An infinite $N$-ary $C_S$-tree $g$ is good if and only if

(1) for all $x \in T_N$, if $\langle s, X, s \rangle \in g(x)$ and $s \in X$, then $X \in G$

(2) for all infinite forward paths $\{x_n\}$ and series $\xi = \{\langle s_n, X_n, t_n \rangle\}$ for $g$ on $\{x_n\}$,
$\mathrm{Sum}(\xi) \in G$

The two conditions for goodness correspond to the two forms, cyclic and acyclic, of 
Corollary 3.5: The goodness problem for a complemented pairs automaton $A$ on infinite $N$-ary
trees with $m$ states and $k$ pairs, i.e., the problem of deciding whether $A$ has a good tree, is
decidable in time at worst $O(N^3 \times \exp \exp(k + \log m))$.

Proof. The preceding lemma shows that the goodness problem for $A$ is equivalent to the emptiness
problem for an automaton $B$ on finite $N$-ary trees of size at worst $O(\exp \exp(k + \log m))$. It is
straightforward to construct an automaton $C$ on finite binary trees, of size at worst $O(N \times \exp
\exp(k + \log m))$, such that $C$ and $B$ have equivalent emptiness problems. Rabin [R69] gives a
decision procedure for the emptiness problem for automata on finite binary trees which runs in
time $O(n^3)$, where $n$ is the number of states of the automaton tested. ∎

Theorem 3.6: If A accepts a tree, then A has a good tree. 

Proof. Suppose $A$ accepts the infinite $N$-ary $\Sigma$-tree $f$. Let $\rho: T_N \to S$ be an accepting run of $A$
on $f$. We claim that for all infinite forward paths $\pi$, there is an $x = n_1 \cdots n_k$ on $\pi$ such that
$\rho(\Lambda) \cdots \rho(x)$ is a good string. For if $\pi = \{x_n\}_{n \ge 0}$ is an infinite forward path, then $X = \mathrm{Inf}(\rho,
\pi) \in \mathrm{Gq}$. For all $n$, let $q_n = \rho(x_n)$. Let $i = \min\{n \mid \forall m \ge n.\ q_m \in X\}$. Let $j = \min\{n > i \mid q_n
= q_i\ \&\ \{q_{i+1}, \ldots, q_n\} = X\}$. Let $x = n_1 \cdots n_j$. Then $\rho(\Lambda) \cdots \rho(x) = q_0 \cdots q_i \cdots q_j$ with
$q_i = q_j$ and $\{q_{i+1}, \ldots, q_j\} = X$. So $\rho(\Lambda) \cdots \rho(x)$ is a good string.

Let $T = \{x \in T_N \mid \forall y < x.\ \rho(\Lambda) \cdots \rho(y)$ is not good$\}$. We leave it to the reader to establish that
$T$ is a finite subtree of $T_N$ and that $f$ restricted to $T$ is a good tree. ∎

Theorem 3.7: If $A$ has a good tree, then $A$ accepts some tree.

Proof: Suppose $g$ is a good tree where $g: T \to \Sigma$ and $T$ is a finite subtree of $T_N$.

Let $\sigma$ be a run of $A$ on $g$ which makes $g$ good. Then $\sigma(\Lambda) \cdots \sigma(x)$ is a good string for all $x \in
front(T)$, i.e., there exists a $y < x$ such that if $x = y n_1 \cdots n_k$ then $\sigma(x) = \sigma(y)$ and $\{\sigma(y), \sigma(y n_1),
\ldots, \sigma(y n_1 \cdots n_{k-1})\} \in \mathrm{Gq}$. Define a generating map $J: front(T) \to int(T)$ by $J(x) = y$. Note that
for all $x \in T$, $J^*(x) = x$, and that for $x \in T$, $J^*(x) < x$. Define $f: T_N \to \Sigma$ by $f = g \circ J^*$; i.e., $f$
is the finitely generable tree generated by $g$ and $J$. Similarly, extend $\sigma$ to $T_N$ by defining $\rho = \sigma
\circ J^*$. We leave it to the reader to prove that $\rho$ is a run of $A$ on $f$.

We claim that p is an accepting run of A on / For suppose -n = {*„}„>o is an infinite forward 
path. Let y n = J*(x n ) for « > and let Y = InftJ*, m). The interior of T is finite, so 3i. Y = 
{y n \ n ^ '}■ Al so > by the definition of / and J*, y m+ i is either a successor or an ancestor of y m 
for all m. Let Z = {j € m/(7) | J{zn) < y < z for some z £ T, zn € fron(T), J(zri) £ Y} - {y 
€ M7) I J m+1 < J < y m for some m > /}. 

We claim that Y = Z. For suppose that y k € Z for some & > /. We shall show that for all m > 
i, if v > v,, then v, , , > >.. For suppose v > j. for some m > /. We know that y , is either 
a successor or an ancestor of j' m . If y m+l is an ancestor of y m . then >' m+1 < y m and j^. < y m 
imply that cither y m+] < y k or y m+[ > ;> A .. But y m+l < y k and y k < j m imply that y k € Z, 
Definition: A deterministic two-way automaton on infinite $N$-ary $\Sigma$-trees is a tuple $A =
\langle S, s_0, L, M, G \rangle$, where

(1) $S$ is a finite set of states.

(2) $s_0 \in S$ is the initial state.

(3) $L: S \times \Sigma \to S^N$ is the next state map for the root; for $s \in S$ and $a \in \Sigma$, let $L(s, a) =
\langle L_0(s, a), \ldots, L_{N-1}(s, a) \rangle$. Informally, if $A$ is in state $s$ on the root, labelled $a$, then $A$
will be in state $L_n(s, a)$ on the node $n$.

(4) $M: S \times \Sigma \to S^{N+1}$ is the next state map for non-root nodes; for $s \in S$ and $a \in \Sigma$, let
$M(s, a) = \langle M_0(s, a), \ldots, M_N(s, a) \rangle$. Informally, if $A$ is in state $s$ on a node labelled
$a$, then $A$ will be in state $M_n(s, a)$ on the $n^{th}$ neighbor of that node.

(5) $G \subseteq Powerset(S)$ is a collection of acceptable sets of states. Informally, $A$ accepts a
tree if for every infinite path $\pi$, $G$ contains the set of states entered infinitely often
along $\pi$.

Definition: The run of a two-way automaton $A$ on an infinite $N$-ary $\Sigma$-tree $f$ is the function
$\rho: P_N \to S$ such that

(1) If $\pi$ is a singleton, $\rho(\pi) = s_0$.

(2) If $\pi$ is a path ending in $\Lambda$, $\rho(\pi;n) = L_n(\rho(\pi), f(\Lambda))$.

(3) If $\pi$ is a path ending in $x \neq \Lambda$ and $y$ is the $n^{th}$ neighbor of $x$, $\rho(\pi;y) =
M_n(\rho(\pi), f(x))$.

Definition: If $\rho$ is the run of $A$ on $f$ and $\pi$ is an infinite path, then $\mathrm{Inf}(\rho, \pi) =
\{s \in S \mid \rho(\tau) = s$ for infinitely many finite paths $\tau < \pi\}$.

Definition: A two-way automaton $A$ accepts an infinite $N$-ary $\Sigma$-tree $f$ if and only if for all infinite
paths $\pi$, $\mathrm{Inf}(\rho, \pi) \in G$, where $\rho$ is the run of $A$ on $f$.

Lemma 4.2 shows that an infinite path $\pi$ can take only two forms: either $\pi$ loops endlessly
on a single node or else $\pi$ passes through all the nodes of an infinite forward path, looping
(perhaps trivially) on each one. This suggests that a one-way automaton might be able to simulate a
two-way automaton by successively guessing state information about the loops on each node. This
method of simulation is successful because it is possible for an automaton to check that the guesses
include information about all possible loops.
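The state information attached to a loop can be computed directly from the run rules (1)-(3): the following Python code is an added example, not part of the original text, which walks a finite path and returns the triple (first state, set of intermediate states, last state) that the next definition calls a circuit. The automaton, the labelling `f` and the sample loop are constructed for illustration, and the `start` parameter is an assumption that generalizes the run (which always starts in $s_0$) to a loop entered in any state.

```python
# Nodes of T_N are tuples of child indices; the root (Lambda) is the empty tuple.
ROOT = ()

def neighbor_index(x, y, N):
    """Return n such that y is the n-th neighbor of x (n == N means y is x's parent)."""
    if len(y) == len(x) + 1 and y[:-1] == x and 0 <= y[-1] < N:
        return y[-1]                      # y = xn, a successor of x
    if x != ROOT and y == x[:-1]:
        return N                          # x is a successor of y
    raise ValueError(f"{y} is not a neighbor of {x}")

def run_states(path, start, L, M, f, N):
    """State after every nonempty prefix of a finite path; start = s_0 gives the run."""
    states = [start]                      # rule (1): a singleton path is in the start state
    for x, y in zip(path, path[1:]):
        n = neighbor_index(x, y, N)
        step = L if x == ROOT else M      # rule (2) at the root, rule (3) elsewhere
        states.append(step(states[-1], f(x))[n])
    return states

def loop_circuit(loop, start, L, M, f, N):
    """Triple (first state, intermediate states, last state) for a loop on loop[0]."""
    if loop[0] != loop[-1]:
        raise ValueError("a loop must begin and end on the same node")
    st = run_states(loop, start, L, M, f, N)
    return (st[0], frozenset(st[1:-1]), st[-1])

# Constructed sample automaton (not from the paper): N = 2, S = {0, 1, 2}, labels 'a'/'b'.
N = 2
def f(x):                                 # label each node by the parity of its depth
    return "a" if len(x) % 2 == 0 else "b"
def L(s, a):                              # components L_0, L_1 (root has no parent)
    return ((s + 1) % 3, (s + 2) % 3)
def M(s, a):                              # components M_0, M_1, M_2 (M_2 moves to the parent)
    return ((s + 1) % 3, (s + 2) % 3, (s + 2) % 3 if a == "b" else s)

LOOP = [ROOT, (0,), (0, 1), (0,), ROOT]   # a loop on the root that backs up twice

if __name__ == "__main__":
    print(run_states(LOOP, 0, L, M, f, N))
    print(loop_circuit(LOOP, 0, L, M, f, N))
```

A singleton path gives a triple with an empty middle set, the instantaneous case of the definition that follows.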

Definition: If $S$ is a set of states, then a circuit is an element $\langle s, X, t \rangle$ where $s, t \in S$ and $X \subseteq S$.
The collection of sets of circuits is denoted by $C_S$. Intuitively, a circuit represents the state history
of a two-way automaton as it passes through a loop: $s$ and $t$ are the initial and final states and $X$ is
the set of intermediate states. A circuit of the form $\langle s, \emptyset, s \rangle$ represents the instantaneous state of
contradicting the hypothesis, so y m+l > y k . If y m+ \ is a successor of y m , then y m+ i > y k also. 

Hence, for all m > i, if y m > ^ then j m+1 > .y^. Therefore, for all m > £ if}' > j^, then for all 
l> m, y t > y k . Therefore, if 3y € T. .y > y k , then Vj 6 K y > y^. But >^ +1 is either a successor 
or an ancestor of y k . But if y k+l is a successor of y k , then 3j> € Y. y > j^, implying Vy € K .y > 
y k , implying y k > >> yt , a contradiction. And if }^ +1 is an ancestor of y k , then y k+l < y k and y k < 
y k , implying y k € Z, contradicting the hypothesis. Therefore, V& > /. j^ € Z, i.e., T C Z. 

Conversely, suppose that z € Z, but z <£ Y. Then for some & > *; y k+l < z < y k . But y jfe+1 = 
z or y k - z contradicts the hypothesis that z € Y, so j A;+1 < z < ^. We shall show that for all m 
> t, if >- m + 1 > 2-, then y m > z. For suppose ^ m+1 > z for some w > /. We know that y m+ i is 
either a successor or an ancestor of y . If y m+l is a successor of y m then >' m+1 > z implies that 
y m > z. But y m = z implies that z € T, contradicting the hypothesis, so y > z. If y m+ i is an 
ancestor of v , then v > z also. 

Hence, for all m > i, if v , -, > z, then v > z. Therefore, for all m > i, if v > z, then for / < / 
< m, y s > z. Since F = {y \ y m - y for infinitely many m}, if3y£ Y. y> z, then Vy € K ^ > z. 
But y fc , _v Jt+1 € Y, yet y k+1 < z < y^ a contradiction. Therefore, Z C Y. This concludes the 
proof that Y = Z. 

Hence, Inffp, it) = {o(y) \ y £ Y} = U(y) I y £ Z] 

= (ff(y) I 7 m +i < J' < J m f or some m > /} 

= {oiy) I J(zn) < y < z for some z € 7, z« € /ro«(7), /(z«) € Y] 

= U z€Y,zn£fronKT)^n)£Y ^'> I •**«) < J' < *}■ 

By the construction of /, each set {o(y) | i(z«) < >> < z} € Gq. Since Gq is closed under 
unions, $\mathrm{Inf}(\rho, \pi) \in \mathrm{Gq}$. Since $\mathrm{Inf}(\rho, \pi) \in \mathrm{Gq}$ for all infinite forward paths $\pi$, $\rho$ is an accepting
run for $A$ on $f$. Therefore $A$ accepts $f$. ∎

Theorem 3.8: The emptiness problem for complemented pairs automata on infinite $N$-ary trees with
$m$ states and $k$ pairs can be decided in time at worst $O(N^3 \times \exp \exp(k + \log m))$.

Proof. The two preceding theorems show the equivalence of the emptiness and goodness problems
for complemented pairs automata. The result follows immediately from Corollary 3.5. ∎
4 Two-Way Automata on Infinite Trees

Analogously to two-way automata on finite strings, we can define two-way automata on
infinite trees. Two-way automata compute along all infinite paths through a tree, i.e.,
computations begin at all the nodes of the tree and branch in all directions, including back towards
the root. It is technically convenient to allow two-way automata to distinguish the root from all
other nodes. Theorem 4.10 shows how to simulate deterministic two-way automata by
nondeterministic one-way automata; we do not know whether this result can be extended to
nondeterministic two-way automata. First, however, infinite trees and paths through infinite trees
are defined, and some simple results proved about the structure of paths.

Definition: Recall that $T_N$ is an infinite $N$-ary tree. Two nodes $x$ and $y$ of $T_N$ are neighbors when
either $x$ is a successor of $y$ or $y$ is a successor of $x$. For $0 \le n \le N-1$, the $n^{th}$ neighbor of $x$ is $xn$;
if $x$ is the successor of $y$, then $y$ is the $N^{th}$ neighbor of $x$.

Definition: A finite (infinite) path on $T_N$ is a finite (infinite) sequence $\{x_n\}$ of elements of $T_N$ such
that for all $n$, $x_n$ and $x_{n+1}$ are neighbors. Let $P_N$ denote the set of finite paths on the tree $T_N$. If $\pi
= \{x_n\}_{1 \le n \le L}$ and $\tau = \{x_n\}_{L+1 \le n \le M}$ are two finite paths such that $x_L$ and $x_{L+1}$ are
neighbors, then the concatenation of $\pi$ and $\tau$ is $\pi;\tau = \{x_n\}_{1 \le n \le M}$ (defined similarly if $\tau$ is an
infinite path). The relation $\pi < \tau$ holds if and only if $\tau = \pi;\sigma$ for some nonempty path $\sigma$. A
forward path is a path $\{x_n\}$ such that $x_{n+1}$ is a successor of $x_n$ for all $n$. A loop on $x$ is a finite
path $\{x_n\}_{1 \le n \le N}$ such that $x_1 = x_N = x$. A simple loop is a loop $x;\pi;x$ such that $\pi$ does not
contain $x$. A singleton is a path consisting of a single element. An infinite path $\pi$ is cyclic on $x$ if
and only if $x$ occurs infinitely often in $\pi$; $\pi$ is acyclic if and only if it is not cyclic on any $x$.

Lemma 4.1: If $x;\pi;x$ is a simple loop, then $\pi$ is a loop.

Proof: Since $x;\pi;x$ is a path from $x$ to itself, $\pi$ must begin and end with neighbors of $x$. Any
path, however, which connects two distinct neighbors of $x$ must include $x$. Hence, if $\pi$ does not
include $x$, $\pi$ must begin and end with the same neighbor of $x$. ∎

Lemma 4.2: If $\pi = \{x_n\}_{n \ge 0}$ is an infinite acyclic path, then there is an infinite forward path
$\{y_n\}_{n \ge 0}$ such that $\pi = \sigma;\tau_0;\cdots;\tau_n;\cdots$, where each $\tau_n$ is a loop on $y_n$.

Proof. Clearly, $\pi$ must contain a least element $x$. Let $\sigma$ be a (possibly empty) initial segment of $\pi$
preceding some occurrence of $x$ in $\pi$. Let $y_0$ be $x$ and let $\tau_0$ be that segment of $\pi$ which extends
from $\sigma$ to include the last occurrence of $x$ in $\pi$, so that $\tau_0$ is a loop on $y_0$. Inductively, given $y_n$
and $\tau_n = \{x_m\}_{j \le m \le k}$, let $y_{n+1} = x_{k+1}$ and let $\tau_{n+1}$ be that segment of $\pi$ which extends
from $\sigma;\tau_0;\ldots;\tau_n$ to include the last occurrence of $y_{n+1}$ in $\pi$, so that $\tau_{n+1}$ is a loop on $y_{n+1}$.
The reader can verify that $\{y_n\}_{n \ge 0}$ is an infinite forward path. ∎



